It's nice to see someone take it on the chin and accept responsibility. It's so easy to shift blame or mitigate fault in your apology, and so hard to resist giving excuses. Shows a good grasp of logic and reasoning to do so, and a strong will to bite your tongue.

Not everyone will be happy with the apology and their actions--and likely, not everyone should be--but it's a good step, I'd wager.

I was impressed with how they handled it during events, and despite everyone in the gaming community and media immediately blaming "Anonymous", they obstinately refused to implicate anyone until more was known. They went so far as to state that any signs of "Anonymous" having done it could easily have been planted to cause confusion. They handled that well, and didn't take an easy copout of trying to point a finger and ease the blame on themselves.

Around the three minute mark he did point out the hackers are always hacking things, like they do, but he didn't repeat the meme I've been hearing lately that "no network can ever be secure".

Not so much a meme but simple truth. It's also true that networks can usually be secured just enough for the requirements of the use-case.

Good solution to the PSN password problem.

Debatable.

One group of people had (or might have) the password for everyone else.

This. This should never have happened. It's a n00b mistake to store plaintext passwords; any half-witted security engineer will tell you not to do it. That Sony has somehow done it is unforgivable, in terms of trusting their security solutions.
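The difference the post is pointing at, as an added example rather than code from the page or from Sony: one store keeps the password itself (so a copy of the table is a copy of every password), the other keeps a per-user random salt plus a PBKDF2 verifier, and a password change is gated on the old password the way the thread describes the PSN flow. The class and function names, the iteration count and the sample user are assumptions for illustration.

```python
"""Plaintext vs. salted-hash password storage (added example; not from the page
or from Sony). Names, PBKDF2 parameters and the sample user are assumptions."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumed work factor for illustration
SALT_BYTES = 16


class PlaintextStore:
    """The mistake the thread describes: the table *is* the password list."""

    def __init__(self):
        self.table = {}

    def register(self, user, password):
        self.table[user] = password

    def verify(self, user, password):
        stored = self.table.get(user, "")
        return hmac.compare_digest(stored.encode(), password.encode())


class HashedStore:
    """Per-user random salt plus an iterated hash; the table holds only verifiers."""

    def __init__(self):
        self.table = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(SALT_BYTES)
        self.table[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        rec = self.table.get(user)
        if rec is None:
            # Spend the same time for unknown users so response timing does
            # not reveal which user names exist.
            self._derive(password, b"\x00" * SALT_BYTES)
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._derive(password, salt))

    def change_password(self, user, old_password, new_password):
        """Change gated on the old password, as the thread describes PSN doing."""
        if not self.verify(user, old_password):
            return False
        self.register(user, new_password)
        return True


def replay_stolen_row(store, user):
    """Attacker holding a copy of store.table submits the stored value as the password.

    Succeeds against PlaintextStore; fails against HashedStore, whose row holds
    a verifier rather than the password itself.
    """
    row = store.table[user]
    candidate = row if isinstance(row, str) else row[1].hex()
    return store.verify(user, candidate)


if __name__ == "__main__":
    weak, strong = PlaintextStore(), HashedStore()
    for s in (weak, strong):
        s.register("alice", "hunter2")
    print("plaintext store, stolen row replayed:", replay_stolen_row(weak, "alice"))
    print("hashed store, stolen row replayed:   ", replay_stolen_row(strong, "alice"))
```

A dump of the hashed table is still worth cracking offline against weak or reused passwords, which is why forcing a change after a breach matters even when storage was done properly.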

From their standpoint, how could you ever be sure of anyone's credentials ever again?

They can't. They never could. You can sign up to PSN without any meaningful proof of who you are, so that hasn't actually changed much.

I'm not a security expert, ...

indeed.

... but I think their solution to the password problem is a good one.

It isn't, though.

You have to change your password when you log in again. You can only do so from the machine you've been using.

You think. Sony wants. It's a password-based authentication system, and the authenticity of the person trying to change the password is "proven" based on their old password.

The "machine" part can be faked. It'll take a bit to find out how to fake it; you'd better change your password before someone does that.

This means a hacker with the full list of passwords can't log in and pretend to be any of those people, even though he's got their login.

And that is not the problem. The problem is that most people re-use the same password (or almost the same password) over and over again. I doubt the PSN hackers cared about hacking PSN; I'm fairly sure they cared about obtaining email addresses, user names and passwords. Now they can use that to pay with your paypal account, read your email, harvest more information from your facebook account, etc. That's where the value of having stolen passwords lies.

Having said all the above, I don't think Sony responded particularly badly. They did what you need to do: shut down (ignore the cost of that), and hire someone who knows what they're doing to perform an audit. Engineer a solution for people to regain control over their account. Apologize.

But the damage is already done, and because of a painfully silly oversight. That doesn't really make me feel warm and fuzzy inside about whatever they've replaced their system with.

This is probably the first real positive reaction I've seen to the return of PSN. So far all I've heard is entitled brats moaning about how 2 weeks without PSN has ruined their lives and how the welcome back bonus doesn't even come anywhere near healing the gaping mental scars of this whole fiasco (which they will probably forget about in a few months). Good to see someone is actually being mature about it.

That's an awful lot of excuse making for a multinational corporation that was insanely negligent with the personal information of tens of thousands of people from all over the world.

If the rumours about their "network security" are true (unpatched/old versions of both Apache and RedHat, credit card and account information sent as GET requests albeit over HTTPS), then it serves to reinforce the notion that Sony just doesn't care. They wanted it done fast and cheap, and didn't care if the consumer got fucked over. Worse still, it seems they didn't even consider that as a possibility.

Don't get me wrong, everybody is entitled to their own opinion. I just happen to vehemently disagree with the one presented in this article. In fact, I'm proud to say that I haven't bought anything with the name "SONY" on it since about 2006, and will continue not to do so until they actually start acting like they give a damn.

One admission of guilt doesn't make it all go away. I find it inconceivable that people have already forgotten that they waited days to admit to anything.

9. They are talking directly to the customer, and only the customer. They didn't work in any language for the benefit of shareholders. They weren't trying to speak to both groups with the same message. There's nothing here about protecting value or building brands or securing assets. You can walk away from this with the impression that Sony doesn't give a damn about what happens to them, as long as you're okay.

How can that seriously be spun as a positive? They waited ages to tell people who had bought their hardware that there was a real problem, and have (as of yet) not told the people who actually bought into the company anything... And we should be proud of them for that?

I found it to be the height of hubris that after the breach they hired not one, not two, but THREE external security firms to comb through their network. From my perspective, the company is simply too big to inter-communicate (in fact, evidence of this can be seen from their cell phone division Sony Ericsson, who tried to distance themselves from the rest of the company by openly encouraging Linux on their phones some time after the breach). This lack of communication leads to half-finished, or simply outright incomplete products being sent out to retail. It could even be seen as the reason they removed OtherOS altogether; the lawyers and higher-ups perceived a threat, and removed a feature that many (including the US Military) were using as advertised on the retail box.

Addendum: I will say that their offer of a few free PSN games is more than fair (with the month of PSN+ debatably being advertising for the paid service). PSN doesn't cost anything, but not having it sucked really hard for a lot of people, and it was very nice of them to offer at least something in the way of compensation.

I'll also just say that I'm not a lawyer or anything like that. Simply a pissed-off consumer.
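On the rumour above that card and account data went out in GET requests "albeit over HTTPS": TLS protects the bytes on the wire, but a query string is also written to web-server and proxy access logs, browser history and the Referer header sent to third parties, all in the clear. The example below is added here and is not code from the page or from Sony; it parses constructed Apache combined-format log lines (not real PSN logs) and flags Luhn-valid card numbers found in request or referrer query strings, masking them in the output. The log format, field names and sample lines are assumptions for illustration.

```python
"""Find card numbers leaked into access logs via GET query strings (added
example; not from the page or from Sony). The log lines are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined" log lines. Card numbers are the standard
# 4111.../5500... test values; 1234567890123456 is a 16-digit non-card id.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [01/May/2011:12:00:01 +0000] "GET /checkout?card=4111111111111111&exp=1214&cvv=123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [01/May/2011:12:00:02 +0000] "POST /checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/May/2011:12:00:03 +0000] "GET /profile?id=1234567890123456 HTTP/1.1" 200 128 "-" "Mozilla/5.0"
10.0.0.8 - - [01/May/2011:12:00:04 +0000] "GET /ads/pixel.gif HTTP/1.1" 200 43 "https://shop.example/checkout?card=5500000000000004&exp=1214" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)
# 13-19 consecutive digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn check; filters out most non-card digit runs (ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep BIN and last four so the finding is still actionable without re-logging the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pans_in_url(url):
    """Return (param, pan) pairs for Luhn-valid numbers in the URL's query string."""
    found = []
    query = urlsplit(url).query
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            for candidate in PAN_RE.findall(value):
                if luhn_ok(candidate):
                    found.append((key, candidate))
    return found


def scan_access_log(text):
    """Scan combined-format lines; check both the request target and the Referer."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for where, url in (("request", m["target"]), ("referer", m["referer"])):
            for param, pan in pans_in_url(url):
                findings.append({"line": lineno, "ip": m["ip"], "where": where,
                                 "param": param, "pan": mask(pan)})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f)
```

The POST on line 2 produces no finding because the body never reaches the access log; the GET on line 1 and the third-party pixel on line 4 (which received the card number in the Referer header) both do. The same scan is worth running over proxy and CDN logs, since each of them records the full URL.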

I think the big thing of why that message works so well is that they had Kazuo Hirai deliver the message. He was a good choice, as even though I still can't hear him speak without a little voice in my head going "RIIIIIIIIIIIIIIIIIIIDGE RACER!" or "FIVE HUNDRED NINETY NINE US DOLLARS!", he actually seems like a decent human being and truly comes off as sorry for the whole incident.

Imagine if they had gotten Jack Tretton to deliver the message... I imagine it would have gone something like, "PS3 is the best thing ever, quit whining about the network being down because you still have the best blu-ray player ever. And to those of you who went and got a 360 to play on while you wait, you're just as lacking in self-respect as all those Nintendo DS owners." Or something extremely rude and condescending like all his interviews and E3 presentations seem to be.

So, you think it's exaggerated self-confidence to say "Okay, we're in over our heads here. We need lots of help from experts to make sure our network is far more secure than it was previously"? Could you explain that one to me please, because I'm not understanding your thought process here at all.

sunami88:They hired three companies? One wasn't good enough? Is the network so complex that one firm simply could not secure the whole thing?

Oh, I see. You're just making random assumptions about things you have absolutely no knowledge about (in this case, the size and complexity of PSN). My bad, I was taking what you had to say seriously.

WTF, how is it hubris to hire outside firms to help you when you are in over your head? It would be hubris to NOT hire them and think they could fix it themselves. Do you understand that word?

They hired three companies? One wasn't good enough? Is the network so complex that one firm simply could not secure the whole thing?

How arrogant of them to spend ridiculous amounts of money to fix the problem as fast as they could....the hubris...

Sorry Sunami, that's rude and sarcastic. Hubris is when you are so arrogant you can't accept your own shortcomings or ignore outside advice because you think you are just tops. Nobody's saying their network wasn't jacked or they didn't mess up. But even hiring 1 company is the opposite of hubris. Hiring 3 is about as far from hubris as you can get.

@All; Perhaps hubris was the wrong word to use. It certainly seems to be, judging by the number of people jumping down my throat. I just found it arrogant that they had to go out and get three companies to complicate a job that just one of them would have been capable of doing. They could have then hired another afterwards to check the first's work, but instead decided that no less than 3 companies were needed to go over their work.

It's really what brought me to my next point. I've always seen them as a company that had trouble communicating, and found it funny when instead of getting one company to do one job, they got three. That must've been a lot of memos to read through.

sunami88:@All; Perhaps hubris was the wrong word to use. It certainly seems to be, judging by the number of people jumping down my throat. I just found it arrogant that they had to go out and get three companies to complicate a job that just one of them would have been capable of doing. They could have then hired another afterwards to check the first's work, but instead decided that no less than 3 companies were needed to go over their work.

It's really what brought me to my next point. I've always seen them as a company that had trouble communicating, and found it funny when instead of getting one company to do one job, they got three. That must've been a lot of memos to read through.

Think of this. They hire one company, they say, we can do this but with our staff it will take 4 months. So they hire firm 2 to get the manpower to do it faster. Same with 3, or perhaps they found some new problem and needed more people.

EVERYONE is pissed at them for PSN being down. It isn't arrogant to hire all the people you need to get it done timely. With all the things you can be mad at Sony for about this, it doesn't make any sense to be mad at them for spending the money to hire all the people they need to fix it.

It seems to me that they've done all they could to get things right and this video message is a good one.

Of course, it probably wouldn't have happened in the first place if Sony hadn't been dicking around with their customer base to begin with. If they're really smart, Sony will re-introduce the functionality of the PS3 as a Linux box or whatever, for those who wanted to do such a thing. And quit fighting over such trivialities.

bombadilillo:Think of this. They hire one company, they say, we can do this but with our staff it will take 4 months. So they hire firm 2 to get the manpower to do it faster. Same with 3, or perhaps they found some new problem and needed more people.

EVERYONE is pissed at them for PSN being down. It isn't arrogant to hire all the people you need to get it done timely. With all the things you can be mad at Sony for about this, it doesn't make any sense to be mad at them for spending the money to hire all the people they need to fix it.

Perhaps. Money and people isn't always the answer, though. I don't see why they couldn't just get one team and work with them.

In fact, it made me wonder if they knew about the exploit on the password reset pages, but wrote it off as low risk because only one team informed them of it. Or they just figured that no one would notice and wanted everything to be done a little too quickly. Stuff like this is what I find arrogant.

And just to beat a dead horse; If bombadilillo's definition of "hubris" is correct, then it would seem that I got the word pretty far out of context. I simply thought it was synonymous with "arrogant".

Or maybe I'm just reading far too much into the whole thing. There just seem to be too many gaps in Sony's logic for it all to be coincidence.

One group of people had (or might have) the password for everyone else.

This. This should never have happened. It's a n00b mistake to store plaintext passwords; any half-witted security engineer will tell you not to do it. That Sony has somehow done it is unforgivable, in terms of trusting their security solutions.

It wasn't in plaintext/cleartext, though, they've clarified on that. Really, everybody's been going around, saying Sony didn't update their servers, Sony did update their servers, they stored it in cleartext, they encrypted their data, whathaveyou. What's done is done, they got hacked and no amount of security would have prevented the eventual hackage. Maybe to minimize it, but who knows how secure it actually was.

But, regardless, Sony did respond to all this hoopla better than most companies. While many companies would hide behind their "No Comment" stuff, Sony was much more open with the breach, and apparently only 43% of companies detail breaches in security in a month's time.

Still, Sony could have done better in other areas. They didn't communicate to their customers as well as they should have, leaving us in the dark for days on end without any sort of update other than "We're working day and night/tirelessly/around the clock" and only communicating through their blog and twitter. I severely doubt that 70+ people check their blog, or even know they have a blog.

Shamus is right, as he usually is. Though I'll take exception to the entire Experienced Points article being lifted directly from a post at Twenty Sided. Still, given how much Shamus does in a week, I think we can let it slide.

And yeah, PSN is handling the clean-up of this really well. Have they learned their lesson though? Only time will tell. Sometimes people forget that the reason Sony is in this market, the reason they had room to grow is because around the mid to late 90's, Nintendo's official business plan was "We Are Lord Nintendo and F**k You!" That gave Sony their first real opportunity to nest and grow.

To Nintendo's credit, they DID learn a very real lesson, which is apparently that you can't be arrogant AND stagnate, just one or the other. I don't know if they're any less arrogant than they were (going too hard into the casual market left some fans in the cold), but they at least strive to earn the right by always being the craziest, biggest gamblers in the market.

Sony, on the other hand, will never innovate in that manner. So their options are find new places to innovate, or grow some actual humility. For instance, they've always been great at dealing with third party developers. Perhaps finding new synergies there could set them apart, I dunno, I'm not an analyst. Or hey, Blu-Ray is an interesting proprietary, how about actually doing something crazy with all that space?

Or they could just start treating their customers like people instead of dollar amounts, but that's crazy talk.

Scrustle:So far all I've heard is entitled brats moaning about how 2 weeks without PSN has ruined their lives.

Granted, I don't own a PS3 and don't think I ever will, but isn't PSN something they have to -pay- for? If so, it's a service that they -literally- are entitled to, so they have right to behave accordingly. The same would apply if their cable went out for two weeks, that's a service they paid for and they have a right to demand quality.

Of course, this argument is nulled if the PSN is a free service, I'm too lazy to check.

Scrustle:So far all I've heard is entitled brats moaning about how 2 weeks without PSN has ruined their lives.

Granted, I don't own a PS3 and don't think I ever will, but isn't PSN something they have to -pay- for? If so, it's a service that they -literally- are entitled to, so they have right to behave accordingly. The same would apply if their cable went out for two weeks, that's a service they paid for and they have a right to demand quality.

Of course, this argument is nulled if the PSN is a free service, I'm too lazy to check.

So yeah. The PSN has been free since the PS3 was out.

...not much more to say. I usually research stuff before I start posting on topics though. I mean, it's just one google search to learn if it was free.

OT: Sony handled this thing great on the PR side, you kidding me? I love 'em more than ever now.

Scrustle:So far all I've heard is entitled brats moaning about how 2 weeks without PSN has ruined their lives.

Granted, I don't own a PS3 and don't think I ever will, but isn't PSN something they have to -pay- for? If so, it's a service that they -literally- are entitled to, so they have right to behave accordingly. The same would apply if their cable went out for two weeks, that's a service they paid for and they have a right to demand quality.

Of course, this argument is nulled if the PSN is a free service, I'm too lazy to check.

PSN is free. There's some PSN Plus stuff I heard of that costs something, but I don't know. Anyway, I think that even if it's free and it's been taken away, you can always mutter something...

sunami88:I don't see why they couldn't just get one team and work with them.

My point exactly. You don't see why they couldn't do this or do that because you have no idea what they did or didn't need. You have no idea what they did and didn't do. So stop acting like you know 100% that they could have done it as quickly with just one firm instead of three.

Apparently, a large amount of people posting in this thread are insiders in Sony, and know everything about Sony's security for the PSN. I mean, it's not like they could be making assumptions based off of unconfirmed, ignorant reports from vague news sources and/or blogs.

I'm not seeing where any of those articles describe in detail what security measures Sony had or has in place. For example, you've linked an article which reports that Amazon's cloud server was employed in the attack. That's great to know, but it doesn't tell us a thing about what Sony's security measures were at the time it was attacked. It only tells us how the attack was made.

The mere fact that Sony's network was successfully attacked doesn't tell us a thing about how secure that network was. If being unable to successfully guard against any and all attacks was the standard, then no network is secure. Any and every network can be successfully attacked.

Thanks for posting this. It's nice to hear a reasoned, even-handed response. Ensuring that Sony takes responsibility for the attack isn't the same as assigning blame... and it isn't the same as hating Sony. They've handled this all pretty well, considering.

sunami88:I don't see why they couldn't just get one team and work with them.

My point exactly. You don't see why they couldn't do this or do that because you have no idea what they did or didn't need. You have no idea what they did and didn't do. So stop acting like you know 100% that they could have done it as quickly with just one firm instead of three.

Just like no one has any real idea about the subject in which those firms specialize. One could specialize in forensics (i.e., determining how the attack occurred) and another could specialize in security (i.e., determining how to avoid future attacks to the extent possible). Why is anyone assuming that they all specialize in the same subject? To hear some people talk, you'd think they know more about what's going on inside the bowels of Sony than does Howard Stringer.